diff --git a/common/pkg/config/config.go b/common/pkg/config/config.go
index a035c7a77e..c118b11e94 100644
--- a/common/pkg/config/config.go
+++ b/common/pkg/config/config.go
@@ -12,7 +12,6 @@ import (
 "github.com/containers/common/internal/attributedstring"
 "github.com/containers/common/libnetwork/types"
- "github.com/containers/common/pkg/capabilities"
 "github.com/containers/storage/pkg/fileutils"
 "github.com/containers/storage/pkg/homedir"
 "github.com/containers/storage/pkg/unshare"
@@ -979,24 +978,6 @@ func (c *Config) GetDefaultEnvEx(envHost, httpProxy bool) []string {
 return append(env, c.Containers.Env.Get()...)
 }
-// Capabilities returns the capabilities parses the Add and Drop capability
-// list from the default capabilities for the container
-func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []string) ([]string, error) {
- userNotRoot := func(user string) bool {
- if user == "" || user == "root" || user == "0" {
- return false
- }
- return true
- }
- defaultCapabilities := c.Containers.DefaultCapabilities.Get()
- if userNotRoot(user) {
- defaultCapabilities = []string{}
- }
- return capabilities.MergeCapabilities(defaultCapabilities, addCapabilities, dropCapabilities)
-}
-
 // Device parses device mapping string to a src, dest & permissions string
 // Valid values for device looklike:
 //
diff --git a/common/pkg/config/config_linux.go b/common/pkg/config/config_linux.go
index 66d193467a..d7a241de88 100644
--- a/common/pkg/config/config_linux.go
+++ b/common/pkg/config/config_linux.go
@@ -1,6 +1,7 @@
 package config
 import (
+ "github.com/containers/common/pkg/capabilities"
 selinux "github.com/opencontainers/selinux/go-selinux"
 )
@@ -26,3 +27,21 @@ var defaultHelperBinariesDir = []string{
 "/usr/libexec/podman",
 "/usr/lib/podman",
 }
+
+// Capabilities returns the capabilities parses the Add and Drop capability
+// list from the default capabilities for the container
+func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []string) ([]string, error) {
+ userNotRoot := func(user string) bool {
+ if user == "" || user == "root" || user == "0" {
+ return false
+ }
+ return true
+ }
+
+ defaultCapabilities := c.Containers.DefaultCapabilities.Get()
+ if userNotRoot(user) {
+ defaultCapabilities = []string{}
+ }
+
+ return capabilities.MergeCapabilities(defaultCapabilities, addCapabilities, dropCapabilities)
+}
diff --git a/common/pkg/config/config_test.go b/common/pkg/config/config_test.go
index b4f24c02d6..14109c2fd0 100644
--- a/common/pkg/config/config_test.go
+++ b/common/pkg/config/config_test.go
@@ -439,18 +439,21 @@ image_copy_tmp_dir="storage"`
 },
 }
- defCaps := []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FOWNER",
- "CAP_FSETID",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- "CAP_SETFCAP",
- "CAP_SETGID",
- "CAP_SETPCAP",
- "CAP_SETUID",
- "CAP_SYS_CHROOT",
+ var defCaps []string
+ if runtime.GOOS == "linux" {
+ defCaps = []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SETFCAP",
+ "CAP_SETGID",
+ "CAP_SETPCAP",
+ "CAP_SETUID",
+ "CAP_SYS_CHROOT",
+ }
+ }
 envs := []string{
@@ -480,7 +483,8 @@ image_copy_tmp_dir="storage"`
 gomega.Expect(config.Engine.OCIRuntimes["runc"]).To(gomega.Equal(OCIRuntimeMap["runc"]))
 gomega.Expect(config.Containers.CgroupConf.Get()).To(gomega.BeEmpty())
- caps, _ := config.Capabilities("", nil, nil)
+ caps, err := config.Capabilities("", nil, nil)
+ gomega.Expect(err).ToNot(gomega.HaveOccurred())
 gomega.Expect(caps).Should(gomega.Equal(defCaps))
 if useSystemd() {
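Review bot: The doc comment that moves into config_linux.go with the Capabilities method still reads "returns the capabilities parses the Add and Drop capability list", which does not describe what the function does, and it says nothing about the root check that decides whether the configured defaults apply at all. Since the code is being relocated anyway, this is the moment to replace it with `// Capabilities returns the container's capability set: the configured default`, `// capabilities (none when user is anything other than "", "root" or "0") merged`, `// with addCapabilities and dropCapabilities via capabilities.MergeCapabilities.`. The root test is an exact string comparison against "", "root" and "0", so any other spelling a caller might pass (a uid:gid pair, for instance) is treated as non-root and loses the default set; that is the conservative direction, but it belongs in the comment so callers are not surprised. In the config_test.go hunk the new `runtime.GOOS` reference comes with no import hunk, so presumably `runtime` is already imported in that file.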
diff --git a/common/pkg/config/config_unsupported.go b/common/pkg/config/config_unsupported.go
index 341225f10e..793a20ea8b 100644
--- a/common/pkg/config/config_unsupported.go
+++ b/common/pkg/config/config_unsupported.go
@@ -5,3 +5,9 @@ package config
 func selinuxEnabled() bool {
 return false
 }
+
+// Capabilities returns the capabilities parses the Add and Drop capability
+// list from the default capabilities for the container
+func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []string) ([]string, error) {
+ return nil, nil
+}
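Review bot: The non-Linux stub at the end of the hunk returns `nil, nil` regardless of its arguments, so a caller that asks for capabilities to be added or dropped gets a success result while its request is silently discarded, and the doc comment copied from the Linux version claims the function parses those lists. If returning an empty set on these platforms is the intended behaviour, say so in place of the copied comment: `// Capabilities is a no-op on platforms without Linux capabilities: user, addCapabilities and dropCapabilities are ignored and the result is always (nil, nil).`. Otherwise consider failing closed when a list is non-empty, e.g. `if len(addCapabilities) > 0 || len(dropCapabilities) > 0 { return nil, errors.New("capabilities are not supported on this platform") }` (needs an `errors` import), which keeps the updated test's `Capabilities("", nil, nil)` call error-free. Any `//go:build` constraint for this file sits above the hunk and cannot be checked from here.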